Exam 4: Information Security Governance and Risk Management

A quantitative risk analysis does not assign monetary and numeric values to all facets of the risk analysis process.

The data custodian implements the information classification and controls after they are determined.

After an organization understands its total and residual risk, it must determine how to get rid of the risk.

Commercial organizations usually classify data using five main classification levels: Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified.

Which risk handling method defines the acceptable risk level the organization can tolerate and reduces the risk to that level?

Which threat agent group includes malicious users?

Which type of data includes patents, trade secrets, and other information that could seriously affect the government if unauthorized disclosure occurred?

What is the probability that a threat agent will exploit vulnerability and the impact if the threat is carried out?

Policies are broad and provide the foundation for development of standards, baselines, guidelines, and procedures.

The first step of a risk assessment is to identify threats and vulnerabilities.

One of the disadvantages of qualitative risk analysis is that all results are subjective.

The Zachman Framework is an enterprise architecture framework.

According to the NIST SP 800-30, what is the last step of a risk assessment?

Which calculation uses the formula AV × EF?

A countermeasure reduces the potential risk.

Which role evaluates the security needs of the organization and develops the internal information security governance documents?

Tangible assets include intellectual property, data, and organizational reputation.

What is a baseline?

Which of the following is an enterprise security architecture framework?

What is the calculation you should use for safeguard value?